General

  • Target

    531df55984e2b66ad9f0dbd639de601e.bin

  • Size

    171KB

  • Sample

    230503-b2n37adc54

  • MD5

    918d7f6baa453d249ac754ed94049115

  • SHA1

    b4d241e964bf833bcedb0467d2c66df0014db027

  • SHA256

    6ffd0a23f224b192b9528c6b13bf203638c74e45b6da2f269d82776a6ca83fc5

  • SHA512

    ee95baa26e91ae186019dce349b27ac76263aeefd58f4413beefd9e6389a98846a23708b418f59662e43a2079503534b6e8cee77152218fff23fc00954c7b2ee

  • SSDEEP

    3072:7Am4qRSwSayg81H1eBfVLbhb7LUxBdhs86kPfHPTXvyjZB5P0e3xevGjkEzDQwz5:FSJ7g0VeBdbh/LUxTR6knvTf8xdkiD0E

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      e3ffa663eeaa0eeda2b5cb06d094cb847f6520df57385c5d7fe5e49d01c99c8f.exe

    • Size

      303KB

    • MD5

      531df55984e2b66ad9f0dbd639de601e

    • SHA1

      dc9d0df60d45c19e668e99a39946d1d39a5d9a09

    • SHA256

      e3ffa663eeaa0eeda2b5cb06d094cb847f6520df57385c5d7fe5e49d01c99c8f

    • SHA512

      1a2029171755e8c7f4f374af5544eef317a0d1635272991b7535f4406a99b4ef5d70985602fd85c8b9eb40de2215c81be496157821f78a013cea74ad2848e72b

    • SSDEEP

      3072:MuFL7HO/Wc2L/rIUpqfM/FqdAt/XOM5TJDTnmhd+:xFL7HQ2LrI7fg2AtXJnmv+

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks